☰

🌙☀

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Taegis Docs Home
About XDR
Get Started
- Get Started with XDR
- Top 5 Tasks
Integrate with XDR
- Integration Overview
- Data Source Integration Definitions
- All Available Integrations
- Add Data Collectors
- Add Endpoint Agents
- Forward Data to XDR
- Create Custom Parsers
  - Overview
  - Syntax
  - Repeating Fields
  - Overriding and Extending Global Parsers
  - Supported Schemas
  - All Schemas
    - Antivirus
    - Auth
    - CloudAudit
    - DHCP
    - DNS
    - Email
    - Encrypt
    - FileMod
    - HTTP
    - Management Event
    - Netflow
    - NIDS
    - Process
    - Registry
    - Thirdparty
    - Types
Manage Integrations
Alerts, Events, and Investigations
- Alerts
- Events
- Investigations
- CyberChef
Dashboards
Search and Reports
- Search
- Reports
Automation
- Automation Overview
- Supported Playbooks
- Supported Connectors
- Playbooks
- Connectors
- Automation Authoring
  - Building Connector Definitions
  - Building Playbook Templates
  - Common Expression Language (CEL)
Threat Intelligence, Hunting, and Detection
- Threat Intelligence
- Threat Hunting
  - Hunting with Jupyter Notebooks
- Detectors
- Adversary Software Coverage
  - Adversary Software Coverage
  - Frequently Asked Questions
XDR Admin
- Your Account
- Tenant Settings
APIs, SDK, and Magic
- Using XDR GraphQL APIs
- API Authentication
- XDR Python SDK
- Taegis Magic Jupyter Integration
  - Overview
- Alerts API
  - Using the Alerts API
  - Alerts GraphQL API
- Assets API
- Audits API
  - Using the Audits API
  - Audits GraphQL API
- Automations APIs
- Bring Your Own Threat Intelligence API
  - Using the BYOTI API
  - BYOTI GraphQL API
- Collector APIs
- Investigations API
  - Using the Investigations API
  - Investigations GraphQL API
- Threat Intelligence API
  - Using the Threat Intelligence API
  - Threat Intelligence GraphQL API
- Using the Users GraphQL API
- Using the Tenants GraphQL API
- Using the Countermeasures API
- Using the File Upload API
Secureworks Products, Services, and Policies
- Managed iSensor
- ManagedXDR
- ManagedXDR Elite
  - Service Description
  - Onboarding Guide
- ManagedXDR for OT
- ManagedXDR Enhanced
  - Service Description
  - Onboarding Guide
- ManagedXDR–Managed iSensor Add-on
- Secureworks Professional Services
- Legal

Related Alerts and Events Timeline View

Certain Event Details pages include a View in Timeline option, which opens a new window with filterable tables of the alerts and events related to the selected event. The Timeline of Related Alerts & Events table displays search results in two tabs, one for Alerts and one for Events.

Important

The view of the timeline differs depending on whether you have opted in to the Advanced Search Query Language. If you currently use Advanced Search Builder instead, see Timeline View Using Advanced Search Builder.

To view the Timeline of Related Alerts & Events, select View in Timeline from an Event Details page, or select Related Alerts & Events from an alert.

Timeline of Related Alerts & Events

Update the Search Timeframe ⫘

You can update the search window of the Timeline of Related Alerts & Events.

From the Timeline of Related Alerts & Events page, grab the handles of the timeline bar surrounding the Source Event and drag them to the time before or after you want to search.
Choose Update. Secureworks® Taegis™ XDR returns the alerts and events from that window and displays them in the table below.

Change the Timeline Window

Filter by Event Type ⫘

The Events tab view includes filters for available data types above data table. Toggle these filters to include or exclude event types from the search results table.

Data Types Filter

The table of alerts and events includes the following actions that you can take:

Select/reorder columns
Add and remove columns
Export selected as CSV
Add to Investigation
Add to New Investigation

Note

Column preferences are auto-saved to your XDR user profile.

Timeline View Using Advanced Search Builder ⫘

The following documentation applies if you have not opted in to the Advanced Search Query Language.

Data Type Button States ⫘

Data Types show four possible states:

Active ⫘

An Active Data Type button:

Has a solid, color-filled dot
Indicates that the query will filter for this data type when you select Update

Tip

To move to the Advanced Search editor for a Data Type, select the () icon that appears when you mouse over a Data Type button on the right-hand side. In Advanced Search you can edit the selected query, add conditions, run the query on a different timeframe, or add any other query parameter available to Advanced Search.

View in Advanced Search

Inactive ⫘

An Inactive Data Type button:

Dot has no color, with an outline only
Indicates the query is not showing results for and will not filter for this data type when you select Update

Error ⫘

A Data Type button in the Error state:

Has a yellow color, with an exclamation point in a triangle
Indicates that the query has failed

Cancelled ⫘

A Data Type button in the Cancelled state:

Has a solid, color-filled dot but with the text crossed out, indicating that the filter was selected, but was cancelled (by clicking the X in the button) during the update
Indicates the filter is in an intermediate cancelled state

Cancelled

Cancelled Event Type Filter

Data Types ⫘

The following Data Types are available in the filter:

Data Types

Alerts (ALRT)
Auth Events (AUTH)
Cloud Audit (CAUD)
Command Events (CMD)
DNS Events (DNS)
Filemod (FILE)
HTTP Events (HTTP)
Inspector Process Events (INSP)
Memory Allocation Events (MEM)
Management Events (MGMT)
Netflow Events (NET)
NIDS Events (NIDS)
Process Module Events (PMOD)
Persistence Events (PRST)
Process Events (PROC)
Registry Events (REG)
Script Block Events (SCPT)
Thread Injection Events (THRD)

Most data types are queried with a host_id parameter to return events from the same host that started the selected process, within the period of time specified on the time slider.
The Restrict to the Selected Process for DNS, Management (MGMT), Netflow (NET) & Persistence (PRST) check box option is selected by default and adds parameters to the queries for those event types to only return events initiated from the selected process.
The query time range defaults to ±15 minutes from the selected process from the time slider and can be adjusted to extend to ±6 hours from the process creation timestamp.
A selection of Data Type buttons are selected by default when the Timeline of Related Alerts & Events page initially loads, but you can easily change them and then update the filter.

Related Alerts and Events Timeline View

Update the Search Timeframe ⫘

Filter by Event Type ⫘

Timeline of Related Alerts & Events Table Actions ⫘

Timeline View Using Advanced Search Builder ⫘

Data Type Button States ⫘

Active ⫘

Inactive ⫘

Error ⫘

Cancelled ⫘

Data Types ⫘

Adjustable Query Parameters for Timeline of Related Alerts and Events ⫘

On this page: